{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# T1027.002 - Obfuscated Files or Information: Software Packing",
    "\n",
    "Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018) \n\nUtilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, (Citation: Wikipedia Exe Compression) but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.  "
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Atomic Tests"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "#Import the Module before running the tests.\n# Checkout Jupyter Notebook at https://github.com/haresudhan/TheAtomicPlaybook to run PS scripts.\nImport-Module /Users/0x6c/AtomicRedTeam/atomics/invoke-atomicredteam/Invoke-AtomicRedTeam.psd1 - Force"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #1 - Binary simply packed by UPX (linux)\nCopies and then runs a simple binary (just outputting \"the cake is a lie\"), that was packed by UPX.\nNo other protection/compression were applied.\n\n**Supported Platforms:** linux\n#### Attack Commands: Run with `sh`\n```sh\ncp PathToAtomicsFolder/T1027.002/bin/linux/test_upx /tmp/packed_bin && /tmp/packed_bin\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1027.002 -TestNumbers 1"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #2 - Binary packed by UPX, with modified headers (linux)\nCopies and then runs a simple binary (just outputting \"the cake is a lie\"), that was packed by UPX.\n\nThe UPX magic number (`0x55505821`, \"`UPX!`\") was changed to (`0x4c4f5452`, \"`LOTR`\"). This prevents the binary from being detected\nby some methods, and especially UPX is not able to uncompress it any more.\n\n**Supported Platforms:** linux\n#### Attack Commands: Run with `sh`\n```sh\ncp PathToAtomicsFolder/T1027.002/bin/linux/test_upx_header_changed /tmp/packed_bin && /tmp/packed_bin\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1027.002 -TestNumbers 2"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #3 - Binary simply packed by UPX\nCopies and then runs a simple binary (just outputting \"the cake is a lie\"), that was packed by UPX.\nNo other protection/compression were applied.\n\n**Supported Platforms:** macos\n#### Attack Commands: Run with `sh`\n```sh\ncp PathToAtomicsFolder/T1027.002/bin/darwin/test_upx /tmp/packed_bin && /tmp/packed_bin\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1027.002 -TestNumbers 3"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #4 - Binary packed by UPX, with modified headers\nCopies and then runs a simple binary (just outputting \"the cake is a lie\"), that was packed by UPX.\n\nThe UPX magic number (`0x55505821`, \"`UPX!`\") was changed to (`0x4c4f5452`, \"`LOTR`\"). This prevents the binary from being detected\nby some methods, and especially UPX is not able to uncompress it any more.\n\n**Supported Platforms:** macos\n#### Attack Commands: Run with `sh`\n```sh\ncp PathToAtomicsFolder/T1027.002/bin/darwin/test_upx_header_changed /tmp/packed_bin && /tmp/packed_bin\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1027.002 -TestNumbers 4"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Detection",
    "\n",
    "Use file scanning to look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code."
   ]
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": ".NET (PowerShell)",
   "language": "PowerShell",
   "name": ".net-powershell"
  },
  "language_info": {
   "file_extension": ".ps1",
   "mimetype": "text/x-powershell",
   "name": "PowerShell",
   "pygments_lexer": "powershell",
   "version": "7.0"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 4
}